CN116016188A - NFV access method, device, system and storage medium - Google Patents


Info

Publication number: CN116016188A
Authority: CN (China)
Prior art keywords: tunnel, information, nfv, instance, message
Legal status: Pending
Application number: CN202211728770.9A
Other languages: Chinese (zh)
Inventors: 宗志刚, 薛蹦蹦, 伍孝敏, 彭小新, 祝顺民
Current Assignee: Alibaba China Co Ltd
Original Assignee: Alibaba China Co Ltd

Events:
Application filed by Alibaba China Co Ltd
Priority to CN202211728770.9A (CN116016188A)
Publication of CN116016188A
Priority to PCT/CN2023/143656 (WO2024141093A1)
Current legal status: Pending

Classifications

    All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L12/46 Interconnection of networks (under H04L12/28 Data switching networks characterised by path configuration, e.g. LAN or WAN)
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L41/0895 Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements (under H04L41/08 Configuration management of networks or network elements)
    • H04L45/243 Multipath using M+N parallel active paths (under H04L45/24 Multipath)
    • H04L49/00 Packet switching elements
    • H04L67/10 Protocols in which an application is distributed across nodes in the network (under H04L67/01 Protocols)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the application provide an NFV access method, device, system and storage medium. A gateway device is placed between a client VPC and a service VPC. It intercepts the data message with which a client instance in the client VPC requests access to an NFV instance in the service VPC and applies two layers of tunnel encapsulation: the tenant information of the client instance is carried as the inner-layer tunnel information, while the outer layer presents only the identity of the gateway device. The virtual switch serving the NFV instance therefore no longer processes the inner-layer tunnel information and never sees the tenant information of the client instance, so the number of users that can access the NFV instance is no longer bounded by access-resource specifications such as the number of virtual network cards the virtual switch supports, and an NFV instance of larger specification can be realized.

Description

NFV access method, device, system and storage medium
Technical Field
The present application relates to the field of cloud computing technologies, and in particular, to an NFV access method, device, system, and storage medium.
Background
Network Function Virtualization (NFV) is a network service virtualization technology that decouples the software functions of a network device from its hardware platform, avoiding lock-in to a hardware supply; because software functions can be iterated far more efficiently, NFV technology is evolving rapidly.
With the rise of cloud computing, NFV has become a foundational technology for building cloud networks, driven by the need for fast iteration. So far, NFV in cloud networks has gone through two generations. The first generation was built on physical servers, that is, NFV network elements were deployed on physical servers; because the supply of physical servers is bound to the procurement cycle of hardware, NFV gradually evolved to a second generation based on cloud-native resources, in which NFV network elements are no longer deployed on physical servers but on cloud computing instances of various kinds, exploiting the scale of cloud computing resources, on-demand construction and on-demand availability of NFV network elements to achieve elastic optimization.
However, when a cloud computing instance serves as the carrier, the NFV network element on the cloud is constrained in terms of user access: only a limited number of users can be admitted, so an NFV network element of larger specification cannot be realized.
Disclosure of Invention
Aspects of the present application provide a method, an apparatus, a system, and a storage medium for NFV access, which are used to solve the problem of user access of NFV network elements on a cloud, allow more users to access, and implement NFV network elements with larger specifications.
An embodiment of the application provides an NFV access system comprising a first gateway device connected between a client virtual private cloud (VPC) and a service VPC. The client VPC comprises a client instance and a first virtual switch (VS) that provides data forwarding service for the client instance; the service VPC comprises an NFV instance carrying an NFV network element and a second VS that provides data forwarding service for the NFV instance. The first gateway device is configured to intercept a data packet with which the client instance accesses the NFV instance through the first VS, perform inner-layer tunnel encapsulation on the data packet using the tenant information of the client instance as the inner-layer tunnel information, perform outer-layer tunnel encapsulation on the inner-encapsulated packet using the identity information of the first gateway device, and send the outer-encapsulated packet to the second VS, which forwards it to the NFV instance, thereby implementing access to the NFV instance.
An embodiment of the application also provides an NFV access method applied to the first gateway device, comprising: intercepting a data message with which a client instance accesses an NFV instance through a first virtual switch (VS); performing inner-layer tunnel encapsulation on the data message using the tenant information of the client instance as the inner-layer tunnel information; performing outer-layer tunnel encapsulation on the inner-encapsulated message using the identity information of the first gateway device; and sending the outer-encapsulated message to the second VS corresponding to the NFV instance, so that the second VS forwards it to the NFV instance and access to the NFV instance is realized.
An embodiment of the application also provides an NFV access method applied to the second gateway device, comprising: receiving a first tunnel message sent by a first virtual switch (VS), where the first tunnel message is obtained by the first VS performing tunnel encapsulation on a data message with which a client instance accesses an NFV instance, and the tunnel information of the first tunnel message includes the tenant information of the client instance; re-encapsulating the first tunnel message into a second tunnel message; and sending the second tunnel message and the tenant information of the client instance to a first gateway device, so that the first gateway device can perform inner-layer tunnel encapsulation on the data message using the tenant information of the client instance as the inner-layer tunnel information, perform outer-layer tunnel encapsulation on the inner-encapsulated message using its own identity information, and forward the message to the NFV instance through a second VS, thereby realizing access to the NFV instance.
The embodiment of the application provides gateway equipment, which comprises: a memory and a processor, the memory for storing a computer program; the processor is coupled to the memory for executing the computer program to cause the processor to implement steps in an NFV access method performed by a first gateway device or steps in an NFV access method performed by a second gateway device.
The embodiments provide a computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to implement steps in an NFV access method performed by a first gateway device or steps in an NFV access method performed by a second gateway device.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
Fig. 1 is a schematic diagram of an NFV system architecture based on cloud-native resources;
Fig. 2 is a schematic structural diagram of an NFV access system according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of another NFV access system according to an embodiment of the present application;
Fig. 4 is a schematic diagram of an application scenario of an NFV access system provided in an exemplary embodiment of the present application;
Fig. 5 is a flow chart of an NFV access method provided in an embodiment of the present application;
Fig. 6 is a flow chart of another NFV access method provided in an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an NFV access device according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of another NFV access device according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a gateway device according to an embodiment of the present application.
Detailed Description
For the purposes, technical solutions and advantages of the present application, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Fig. 1 is a schematic structural diagram of an NFV system based on cloud-native resources. As shown in fig. 1, the system includes a plurality of VPCs. A VPC is a logically isolated network environment built on a physical network using virtualization technology; the physical network includes physical resources such as physical machines, switches and gateways. One or more VPCs may be deployed on the physical resources of one region, and a given VPC is typically deployed within one region. In this embodiment, service instances are deployed in each VPC, and these service instances can access each other. In the embodiment of the present application the VPCs are divided, from the viewpoint of the service instances they host, into client VPCs 11 and service VPCs 12. There may be one or more client VPCs 11 and one or more service VPCs 12. Each client VPC 11 belongs to one tenant, and different client VPCs 11 may belong to the same tenant or to different tenants, without limitation.
In embodiments of the present application, the service VPC 12 refers to a VPC that provides NFV network elements on cloud-native resources. Such a VPC includes at least one NFV network element, for example server load balancing (SLB), network address translation (NAT) or a forwarding router (TR), and these NFV network elements are carried on cloud computing instances; for convenience of description and distinction, a cloud computing instance carrying an NFV network element in the service VPC 12 is referred to as an NFV instance. In this embodiment an NFV instance stands for the NFV network element carried on it. NFV instances may be cloud computing instances of various kinds, such as virtual machines (VM), containers, bare metal servers, Elastic Compute Service (ECS) instances, or cloud computing services based on field programmable gate arrays (FPGA). Different types of NFV network element can be provided by cloud computing instances of different specifications: for example, a layer-7 SLB has higher requirements on computing power and a compute-optimized ECS can be chosen as its carrier, while a layer-4 SLB has higher requirements on forwarding throughput and a network-optimized ECS can be chosen as its carrier.
In embodiments of the present application, the client VPC 11 refers to a VPC that provides client instances, where a client instance is a cloud computing instance that needs to use a service provided by an NFV network element, for example, but not limited to, a VM, an ECS instance, a service module or an application instance. Each client VPC 11 includes at least one client instance; the client instances are carried on one or more physical machines, and each physical machine additionally hosts a virtual switch (VS) that provides data forwarding service for the client instances on that machine. Correspondingly, the service VPC 12 includes at least one NFV instance, of which there may be one or more copies, carried on one or more physical machines, each of which hosts a VS that provides data forwarding service for the NFV instances on that machine. The VS may in particular be an Open vSwitch (OVS). For ease of distinction and description, the VS in the client VPC 11 that provides data forwarding service for the client instance is referred to as the first VS, and the VS in the service VPC 12 that provides data forwarding service for the NFV instance is referred to as the second VS.
In this embodiment, the basic functions of an NFV instance include high availability through Equal Cost Multi-Path (ECMP) and multi-tenant access. In the system shown in fig. 1, the ECMP capability of the NFV instance opens network connectivity between cloud tenants and the NFV instance through an ENI-bonding technique: an elastic network interface (ENI) is deployed in each client VPC 11, the ENI has a private network IP address and can be mounted on the NFV instance, and the NFV instance is represented by the private network IP address of the ENI together with the port number of the NFV instance, so that a client instance in the client VPC 11 can access the NFV instance through the ENI. ENIs mounted on the same NFV instance from different client VPCs 11 may have the same private network IP address or different ones, without limitation. In this embodiment, different ENIs represent different tenants, and there is a one-to-one correspondence between ENIs and tenants.
In the system shown in fig. 1, multi-tenant access uses an ENI-trunk technique: while being forwarded to the NFV instance, traffic from different ENIs (which is traffic of different tenants) is marked with different virtual local area network (VLAN) tags, that is, different tenants are identified by different VLAN tags, so that isolation between tenants is achieved.
In the system shown in fig. 1, the NFV access procedure based on the ENI-bonding and ENI-trunk techniques described above is as follows:
When a client instance in the client VPC requests access to an NFV instance in the service VPC, the data message first reaches the VS where the client instance is located (the first VS), and the first VS forwards it, based on pre-configured routing information, to the VS where the NFV instance is located (the second VS). When the data message reaches the second VS, the second VS judges whether a plurality of NFV instances jointly handle this traffic; if so, a target path is selected from the plurality of paths by a hash algorithm and the message is forwarded along that path to the corresponding NFV instance for processing. When a path or an NFV instance fails, the path is automatically deleted, which provides the high availability of ECMP; this process is called the ENI-bonding process.
The general forwarding flow after a target path has been selected is as follows: the second VS first judges whether the data message is the first message of a data stream; if so, the CPU of the second VS performs software forwarding and establishes session information for the stream, recording the five-tuple of the stream and the egress port information, where the egress port corresponds to the target NFV instance; subsequent messages of the stream are forwarded directly to the target NFV instance by looking up the established session information.
In the above process, client instances of several different tenants may request access to the same NFV instance, with the data messages of different tenants arriving from different ENIs; as shown in fig. 1, the second VS receives data messages from different ENIs. So that the NFV instance can distinguish the data messages of different tenants, the second VS maps the source VPC ID in each data message to a VLAN ID, as shown in fig. 1, and the data messages of different tenants are distinguished by their VLAN IDs; this is called the ENI-trunk process. The number of ENIs supported by the second VS determines the number of VLANs, that is, the number of distinct tenants that can access the NFV instance.
From this processing of the data message it can be seen that, on the way from the client instance to the NFV instance, every message must pass through the second VS, so the network IO capability of the second VS directly bounds the number of tenants the NFV network element can admit. Here the network IO capability of the second VS mainly means the ENI specification and the session specification it can support. Cloud computing instances were developed for IT-type applications, which are compute-type applications with relatively high demands on the central processing unit (CPU) and memory but low demands on network communication; a cloud computing instance is therefore matched mainly to compute-type applications, and the ENI specification and session specification supported by the VS that provides data forwarding for such instances are relatively low: the ENI specification supported by current mainstream VSs is about several tens of thousands and the session specification about 100 thousand, and even the VS with the greatest network capability supports an ENI specification of only about 1000, whereas the number of users an actual NFV instance can process can reach several tens of thousands and the number of streams (sessions) several hundred million. The gap between the network IO capability of the VS and the capability of the NFV instance thus restricts the NFV instance by a factor of ten or even one hundred, which wastes NFV instance resources and limits the user access specification of the NFV instance.
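As an added example (not code from the patent), the following Python models the fig. 1 second VS described above: hash-based ECMP path selection over bonded NFV instances, a session table that separates the first message of a stream (slow path) from later ones (fast path), and ENI-trunk VLAN allocation keyed by source VPC ID, bounded by the ENI specification. Class and function names, the VLAN ID range and the five-tuples are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class LegacySecondVS:
    """Model of the second VS in the fig. 1 architecture: ECMP over bonded NFV
    instances (ENI-bonding), a session table for fast-path forwarding, and
    per-tenant VLAN tagging keyed by source VPC ID (ENI-trunk). The number of
    VLAN IDs it can hand out is bounded by its ENI specification."""
    paths: list                 # egress ports, one per NFV instance in the bond
    eni_spec: int               # ENIs (hence VLAN IDs, hence tenants) the VS supports
    vlan_by_vpc: dict = field(default_factory=dict)   # source VPC ID -> VLAN ID
    sessions: dict = field(default_factory=dict)      # five-tuple -> egress port

    def _ecmp_select(self, five_tuple):
        """Hash the five-tuple onto one of the paths that are still alive."""
        if not self.paths:
            raise RuntimeError("no live path to any NFV instance")
        digest = hashlib.sha256(repr(five_tuple).encode()).digest()
        return self.paths[int.from_bytes(digest[:4], "big") % len(self.paths)]

    def _vlan_for(self, src_vpc_id):
        """ENI-trunk: map the source VPC to a VLAN ID. A tenant seen for the first
        time needs a free ENI slot; once the ENI specification is exhausted the
        tenant cannot be admitted (the bottleneck the text describes)."""
        vlan = self.vlan_by_vpc.get(src_vpc_id)
        if vlan is None:
            if len(self.vlan_by_vpc) >= self.eni_spec:
                return None
            vlan = 100 + len(self.vlan_by_vpc)     # constructed VLAN ID allocation
            self.vlan_by_vpc[src_vpc_id] = vlan
        return vlan

    def forward(self, src_vpc_id, five_tuple):
        """Forward one data message. Returns (vlan_id, egress_port, 'slow'|'fast'),
        or None when the tenant cannot be admitted."""
        vlan = self._vlan_for(src_vpc_id)
        if vlan is None:
            return None
        port = self.sessions.get(five_tuple)
        if port is not None:
            return vlan, port, "fast"            # session hit: no CPU involvement
        port = self._ecmp_select(five_tuple)      # first message of the stream
        self.sessions[five_tuple] = port          # CPU builds the session entry
        return vlan, port, "slow"

    def path_down(self, port):
        """ECMP high availability: delete the failed path and the sessions pinned
        to it so that affected streams are re-hashed onto the remaining paths."""
        self.paths = [p for p in self.paths if p != port]
        self.sessions = {k: v for k, v in self.sessions.items() if v != port}


def demo():
    """Constructed walk-through: two bonded NFV instances, a VS able to carry two ENIs."""
    vs = LegacySecondVS(paths=["nfv-a", "nfv-b"], eni_spec=2)
    flow_a = ("10.1.0.5", "10.2.0.10", 40001, 443, "tcp")   # constructed five-tuple
    flow_b = ("10.3.0.7", "10.2.0.10", 40002, 443, "tcp")
    first = vs.forward("vpc-A", flow_a)          # slow path, session created
    second = vs.forward("vpc-A", flow_a)         # fast path, same egress port
    other = vs.forward("vpc-B", flow_b)          # second tenant, second VLAN
    rejected = vs.forward("vpc-C", flow_b)       # third tenant exceeds eni_spec
    vs.path_down(first[1])                       # take the chosen NFV instance down
    rehashed = vs.forward("vpc-A", flow_a)       # stream re-hashed to the survivor
    return first, second, other, rejected, rehashed


if __name__ == "__main__":
    for step in demo():
        print(step)
```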
In view of the foregoing, an embodiment of the present application provides a new NFV access system, as shown in fig. 2, where the NFV access system includes: a client VPC21, a service VPC22 and a first gateway device 23 interconnected between the client VPC21 and the service VPC 22. The description about the client VPC21 and the service VPC22 is the same as that of the client VPC11 and the service VPC12 in the foregoing embodiment, and will not be repeated here.
In this embodiment, the client VPC 21 includes at least a client instance, a first VS capable of providing data forwarding service for the client instance, and an ENI of an NFV instance mounted in the service VPC 22; the client instance can initiate access to the NFV instance through the ENI mounted on the NFV instance, and the data message for accessing the NFV instance is forwarded toward the NFV instance through the first VS. Unlike the access process of the system in fig. 1, the data packet of the client instance accessing the NFV instance through the first VS no longer goes directly from the first VS to the second VS. Instead, the first gateway device 23 intercepts it; after interception, the first gateway device 23 performs inner-layer tunnel encapsulation on the data packet using the tenant information of the client instance as the inner-layer tunnel information, performs outer-layer tunnel encapsulation on the inner-encapsulated packet using its own identity information, and sends the outer-encapsulated packet to the second VS, which forwards it to the NFV instance, thereby implementing access to the NFV instance. The tenant information of the client instance may be any information that uniquely identifies the tenant to which the client instance belongs, for example, but not limited to, the ID of the client VPC to which the client instance belongs or the ID of the tenant.
In this embodiment, a first gateway device disposed between the client VPC and the service VPC intercepts the data packet with which a client instance requests access to an NFV instance, applies two layers of tunnel encapsulation to it, and places the tenant information of the client instance in the inner layer as inner-layer tunnel information, so that only the identity of the first gateway device is presented to the outside. The second VS where the NFV instance is located then no longer processes the inner-layer tunnel information and cannot see the tenant information of the client instance; user access to the NFV instance is no longer limited by the ENI specification supported by the second VS, more tenants can access the NFV instance, and an NFV instance of larger specification is realized.
In the embodiment of the present application, the implementation of the first gateway device is not limited, and the manner in which the first gateway device intercepts the data packet sent by the client instance through the first VS to access the NFV instance may differ according to how the first gateway device is implemented. The following is illustrative:
In an alternative embodiment A1, each client VPC is associated with a conventional gateway device, referred to as the VPC gateway device (VGW) for convenience of distinction; the VGW maintains and issues the routing information for each client instance in the client VPC. In the conventional scheme, when a data message of a client instance reaches the first VS, the first VS checks whether it holds routing information for that data message locally; if not, it sends the data message to the VGW, the VGW forwards the data message according to the routing information it maintains and issues the routing information for that data message to the first VS, and the first VS forwards subsequent messages itself according to the issued routing information. In this embodiment, the VGW associated with the client VPC is modified into a new gateway device, namely the first gateway device: the forwarding function of the VGW for access to the NFV instance is improved so that the VGW itself forwards all data packets that access the NFV instance, and the VGW does not issue the routing information required for accessing the NFV instance to the first VS.
Based on the above, when the client instance accesses the NFV instance, the data message may be sent to the first VS through the ENI corresponding to the NFV instance, and the first VS performs tunnel encapsulation on the data message sent by the client instance to obtain the first tunnel message. In this embodiment, the tunnel information in the various tunnel messages at least includes a source address, a destination address, and Virtual Network Identifier (VNI) information, where the source address indicates a source end of the tunnel, the destination address indicates a destination end of the tunnel, and the VNI information is a network identifier and may be used to indicate different information in different tunnel messages. In the tunnel information of the first tunnel message, the source address is the IP address of the first VS, the destination address is the IP address of the first gateway device, and the VNI information indicates tenant information to which the client instance belongs.
Since the first VS has no routing information for the client instance locally, it sends the first tunnel message to the first gateway device, i.e. the VGW. The first gateway device (VGW) receives the first tunnel message sent by the first VS, and this act of reception can be regarded as interception of the data message with which the client instance accesses the NFV instance through the first VS. After receiving the first tunnel message, instead of forwarding it as a conventional VGW would, the VGW obtains the tenant information of the client instance from the tunnel information of the first tunnel message, uses that tenant information as inner-layer tunnel information to encapsulate the data message in an inner-layer tunnel, uses its own identity information to encapsulate the inner-encapsulated message in an outer-layer tunnel, and sends the outer-encapsulated message to the second VS, which forwards it to the NFV instance, so that access to the NFV instance is realized. In this embodiment, the first gateway device is a modified VGW.
In another alternative embodiment A2, the first gateway device may be a newly added gateway device that is mainly responsible for intercepting, and applying two-layer tunnel encapsulation to, data packets with which client instances access the NFV instance; it may be called the NFV gateway device (NFV-GW). As shown in fig. 3, the NFV access system then further includes a second gateway device 24, which is the conventional gateway device associated with the client VPC and is referred to as the VPC gateway device (VGW) for convenience of distinction. In fig. 3 the second gateway device is the VGW and the first gateway device is the NFV-GW, as an example. It should be noted that client VPCs and second gateway devices 24 may correspond one-to-one (one client VPC associated with one second gateway device 24, as in fig. 4) or many-to-one (multiple client VPCs associated with the same second gateway device 24, as in fig. 3). The second gateway device (VGW) is interconnected with the first VS on one side and with the first gateway device (NFV-GW) on the other, and the first gateway device (NFV-GW) is interconnected with the second VS. In this embodiment, not only is the first gateway device newly added, but the function of the second gateway device is also improved, and the second gateway device cooperates with the first VS to assist the first gateway device in intercepting the data messages from the client instance to the NFV instance.
Based on the above, when the client instance accesses the NFV instance, the data message may be sent to the first VS through the ENI corresponding to the NFV instance, and the first VS performs tunnel encapsulation on the data message sent by the client instance to obtain the first tunnel message. For the description of the first tunnel message, reference is made to the above, and no further description is given here. Since the first VS does not have the routing information corresponding to the client instance locally, the first VS sends the first tunnel message to the second gateway device, i.e., VGW.
The second gateway device (VGW) receives the first tunnel message sent by the first VS, obtains the tenant information of the client instance from the tunnel information of the first tunnel message, re-encapsulates the first tunnel message into a second tunnel message, and sends the second tunnel message together with the tenant information of the client instance to the first gateway device (NFV-GW). In this embodiment the second gateway device likewise does not issue the routing information required for accessing the NFV instance to the first VS, and all data packets for accessing the NFV instance are forwarded through the second gateway device and the first gateway device. The tunnel information of the second tunnel message includes at least a source address, a destination address and VNI information, where the source address is the IP address of the second gateway device (VGW), the destination address is the IP address of the first gateway device, and the VNI information is the tenant information of the client instance. The way in which the second gateway device (VGW) conveys the tenant information of the client instance to the first gateway device (NFV-GW) is not limited: for example, it may be carried in the VNI information of the tunnel information of the second tunnel message, or it may be sent to the first gateway device (NFV-GW) in a control plane message.
For the first gateway device (i.e., NFV-GW), the second tunnel message sent by the second gateway device (i.e., VGW) and tenant information to which the client instance belongs may be received, where the act of receiving the second tunnel message may be considered as interception of a data message of the client instance accessing the NFV instance via the first VS. Based on the above, after receiving the second tunnel message, the first gateway device can parse the data message therefrom, and take the tenant information of the client instance as the inner layer tunnel information to perform inner layer tunnel encapsulation on the data message, and perform outer layer tunnel encapsulation on the message after the inner layer tunnel encapsulation by using the identity information of the first gateway device, and send the message after the outer layer tunnel encapsulation to the second VS, so that the second VS forwards the data message to the NFV instance, thereby realizing the access of the NFV instance. In this embodiment, the first gateway device is an NFV-GW, as opposed to a modified VGW.
Whichever implementation manner is adopted by the first gateway device, a manner in which the first gateway device performs inner layer tunnel encapsulation on the data packet by using tenant information to which the client instance belongs as inner layer tunnel information includes: and respectively taking the address information of the first gateway equipment and the address information of the NFV instance as a source address and a destination address of the inner-layer tunnel information, taking tenant information of the client instance as VNI information of the inner-layer tunnel information, and performing inner-layer tunnel encapsulation on the data message. Correspondingly, a manner that the first gateway device performs outer layer tunnel encapsulation on the message encapsulated by the inner layer tunnel by using the identity information of the first gateway device includes: and taking the address information of the first gateway equipment and the address information of the second VS as the source address and the destination address of the outer layer tunnel information, taking the identification information of the first gateway equipment as the VNI information of the outer layer tunnel information, and carrying out outer layer tunnel encapsulation on the message encapsulated by the inner layer tunnel.
Further alternatively, both the inner layer tunnel encapsulation and the outer layer tunnel encapsulation described above may employ, but are not limited to, the following tunnel protocols: Generic Network Virtualization Encapsulation (GENEVE), Virtual Extensible Local Area Network (VXLAN), or IPv6-based segment routing (Segment Routing IPv6, SRv6). The tunnel protocols used by the inner tunnel encapsulation and the outer tunnel encapsulation may be the same or different, which is not limited.
In some alternative embodiments, in order to reduce intrusion of the first gateway device (i.e. NFV-GW) into the client instance, the ENI of the cloud computing instance may be simulated for the first gateway device, that is, a simulated ENI may be configured for the first gateway device, where the simulated ENI may also be referred to as a fake-ENI, and a MAC address corresponding to the fake-ENI is configured on the first VS, so as to implement encapsulation of tenant information by the first gateway device through the fake-ENI, that is, identification information of the first gateway device may be simulated ENI information of the first gateway device. Based on this, in connection with the system shown in fig. 3, the detailed access procedure of the NFV instance provided in the embodiment of the present application is as follows:
Specifically, in order to reduce modification to the tenant side, the function of the client instance remains unchanged. When the client instance needs to access the NFV instance, it sends out a data message as usual; the data message reaches the first VS, which searches its local routing table, finds no routing information corresponding to the data message, and therefore forwards the data message to the VGW corresponding to the client VPC. Specifically, the first VS performs tunnel encapsulation on the data packet according to the locally configured MAC address corresponding to the fake-ENI, obtaining a first tunnel packet whose source address is the IP address of the first VS and whose destination address is the IP address of the VGW, and sends the first tunnel packet to the VGW. The VNI field of the first tunnel packet carries the tenant information to which the client instance belongs, and the first tunnel packet also carries the MAC address corresponding to the fake-ENI. In this embodiment, the VGW does not issue routing information to the first VS, so that all data packets sent from the client instance to the NFV instance are sent to the VGW.
The VGW is locally pre-configured with a specific forwarding table entry for accessing the NFV instance, whose next hop points to the NFV-GW, so that all data messages accessing the NFV instance are forwarded to the NFV-GW. Specifically, the VGW parses the data packet from the first tunnel packet, re-tunnels the data packet to obtain a second tunnel packet whose source address is the IP address of the VGW and whose destination address is the IP address of the NFV-GW, and sends the second tunnel packet to the NFV-GW. Data packets for accessing other cloud computing instances or other service VPCs may be processed according to the conventional flow, which is not limited. The VGW may also send the tenant information to which the client instance belongs to the NFV-GW through a control plane message.
After receiving the second tunnel message, the NFV-GW parses out the data message and performs two-layer tunnel encapsulation on it, namely inner layer tunnel encapsulation and outer layer tunnel encapsulation. The inner layer tunnel encapsulation carries the tenant information of the client instance, and the outer layer tunnel encapsulation carries the tunnel information required for forwarding the data message. In the present embodiment, the tunneling technique used is not limited: both the inner layer and the outer layer encapsulation may use, but are not limited to, GENEVE, VXLAN or SRv6, and any tunneling protocol capable of identifying multiple tenants is suitable for the embodiments of the present application. The source address of the inner layer tunnel information is the IP address of the NFV-GW, the destination address is the IP address of the NFV instance to be accessed, and the inner layer VNI information is the tenant information of the client instance; the source address of the outer layer tunnel information is the IP address of the NFV-GW, the destination address is the IP address of the second VS, and the outer layer VNI information is the fake-ENI of the NFV-GW.
In this embodiment, the NFV-GW implements ENI-bonding with the second VS by using the fake-ENI, that is, the second VS allocates to the NFV-GW an interface bound with the fake-ENI to facilitate communication between the two; for convenience of description, this interface is referred to as the ENI-bonding interface. Based on the above, the NFV-GW sends the packet encapsulated by the inner and outer tunnels to the second VS through the ENI-bonding interface between the NFV-GW and the second VS, and the second VS processes the doubly encapsulated packet.
The second VS processes only the outer layer tunnel information. It judges from the outer layer tunnel information whether the message is the first message of its data stream; if so, the CPU of the second VS performs software forwarding, establishes a forwarding session for the data stream, and records the five-tuple of the data stream (the five-tuple of the outer layer tunnel information) together with the egress port information, where the egress port corresponds to the target NFV instance. Subsequent messages of the data stream look up the established session information and are forwarded directly to the target NFV instance.
In this embodiment, an NFV-GW is added and cooperates with the VGW associated with the client VPC. By adding a layer of tunnel encapsulation, the tenant information to which the client instance belongs is encapsulated in the inner layer; from the perspective of the second VS, only the fake-ENI corresponding to the NFV-GW is seen, and the inner layer tunnel information is no longer processed. Therefore, even when ENI-bonding is adopted, the second VS needs only one ENI and one VLAN ID, the session information records only the five-tuple of the outer layer tunnel, and that five-tuple is unchanged throughout the access process. This greatly reduces the demands that different tenants accessing the NFV instance place on the ENI and session specifications supported by the second VS, and effectively removes the constraints imposed by the ENI specification and session specification of the second VS. From the perspective of the NFV instance, the second VS sees only the NFV-GW, so a single tenant and a single stream are presented; this resolves the problem of the NFV instance being constrained by the network IO capability of the second VS and allows the NFV instance to serve more users.
The following describes in detail the NFV access procedure provided in the embodiment of the present application with reference to the application scenario and system architecture shown in fig. 4, and the packet encapsulation procedure shown in fig. 4:
In fig. 4, two client VPCs are taken as an example. Each client VPC includes a client ECS and a first VS, and each client VPC accesses a VGW; the two client VPCs are denoted as the first client VPC and the second client VPC, the two VGWs are denoted as the first VGW and the second VGW, and both VGWs are interconnected with the NFV-GW. The NFV-GW connects two service VPCs, each including an NFV ECS and a second VS; the two service VPCs are denoted as the first service VPC and the second service VPC, the NFV ECS in the second service VPC being implemented on an ECS and the NFV ECS in the first service VPC being implemented on an FPGA, but this is not limiting. The client ECS is an ECS serving as the client instance; similarly, the NFV ECS is an ECS carrying an NFV network element and serves as the NFV instance.
In order to be compatible with the ENI, the NFV-GW has a simulated ENI, namely a fake-ENI, which is deployed in each client VPC and points to the NFV-GW, without changing the processing logic of the first VS. The NFV-GW may have different fake-ENIs corresponding to the NFV ECSs in different service VPCs, which is used to implement ECMP.
The client ECS sends out a data message for accessing the NFV ECS, as shown in fig. 4, where a message format of the data message includes: a payload portion, a TCP/UDP header, IP header information (IP hdr), and Ethernet header information (Eth hdr), the data packet reaching the first VS.
The first VS performs tunnel encapsulation to obtain a first tunnel message. As shown in fig. 4, the message format of the first tunnel message includes: a payload portion, a TCP/UDP header, IP header information (IP hdr), VXLAN tunnel information (VXLAN is taken as the example tunnel encapsulation, but is not limiting), the MAC address corresponding to the fake-ENI, and Ethernet header information (Eth hdr); the first tunnel packet arrives at the first or second VGW. The first VS is locally preconfigured with the MAC address corresponding to the fake-ENI but cannot determine the identity (ID) of the fake-ENI. The source address of the VXLAN tunnel information is the IP address of the first VS, the destination address is the IP address of the first or second VGW, and the VNI information is the tenant information to which the client ECS belongs.
The first or second VGW parses the data message from the first tunnel message and re-tunnels it to obtain a second tunnel message. As shown in fig. 4, the message format of the second tunnel message includes: a payload portion, a TCP/UDP header, IP header information (IP hdr), the MAC address corresponding to the fake-ENI, VXLAN tunnel information (VXLAN is taken as the example, but is not limiting), and Ethernet header information (Eth hdr); the second tunnel packet reaches the NFV-GW. The source address of the VXLAN tunnel information is the IP address of the first or second VGW, the destination address is the IP address of the NFV-GW, and the VNI information is the tenant information of the client ECS.
The NFV-GW is configured with a MAC-fake-ENI conversion table, which records the ID of the fake-ENI corresponding to each MAC address; in fig. 4, as an example, the fake-ENI ID corresponding to MAC address 0:0:0:0:0:1 is 1 and the fake-ENI ID corresponding to MAC address 0:0:0:0:2 is 2. An ECMP table of the fake-ENI is also configured on the NFV-GW, recording the NFV ECSs corresponding to different fake-ENI IDs; in fig. 4, as an example, the ECMP table records that fake-ENI ID 1 corresponds to ECS IP1 and fake-ENI ID 2 corresponds to FPGA IP2. Here, ECS IP1 denotes the ECS-based NFV ECS in the second service VPC, and FPGA IP2 denotes the FPGA-based NFV ECS in the first service VPC.
In addition, a forwarding table of the fake-ENI is configured on the NFV-GW, recording the egress encapsulation information corresponding to different fake-ENI IDs; in fig. 4, tunnel encapsulation is performed by VXLAN for the first VGW corresponding to fake-ENI ID 1, and tunnel encapsulation is performed by VXLAN for the first VGW corresponding to fake-ENI ID 2. The forwarding table shown in fig. 4 refers to the tunnel protocol adopted by the outer tunnel encapsulation; the tunnel protocol adopted by the inner tunnel encapsulation is not shown in the table and may be recorded in another manner, or a default protocol may be adopted. In this embodiment, the GENEVE protocol is taken as the example for inner layer tunnel encapsulation.
In addition, an IP address mapping table of the fake-ENI is configured on the NFV-GW, recording the IP address information of the NFV ECS and of the second VS corresponding to different fake-ENI IDs. In fig. 4, the mapping table records that fake-ENI ID 1 corresponds to the second VS in the second service VPC with IP address 1.1.1.1 and to the NFV ECS (i.e., ECS IP 1) with IP address 2.1.1.1, and that fake-ENI ID 2 corresponds to the second VS in the first service VPC with IP address 1.2.2.2 and to the NFV ECS (i.e., FPGA IP 2) with IP address 2.2.2.2.
Here, the four information tables may be implemented as a single information table, or as two or three information tables, and the correspondence or mapping relationships may also be recorded in a form other than information tables, which is not limited.
Based on the corresponding relation or the mapping relation, the NFV-GW may query the MAC-fake-ENI conversion table according to the MAC address corresponding to the fake-ENI contained in the second tunnel packet, so as to obtain a fake-ENI ID corresponding to the MAC address, so as to implement ECMP; and then, inquiring an ECMP table of the fake-ENI, a forwarding table of the fake-ENI and an IP address mapping table of the fake-ENI according to the determined fake-ENI ID, determining corresponding tunnel encapsulation information, an IP address corresponding to the NFV ECS and an IP address corresponding to the second VS, and completing inner and outer two-layer tunnel encapsulation according to the information so as to obtain a third tunnel message. As shown in fig. 4, the message format obtained after the inner layer tunnel encapsulation includes: payload (payload) section, TCP/UDP header, IP header information (IP hdr), GENEVE tunnel information (inner layer tunnel information), and ethernet header information (Eth hdr). The message format of the third tunnel message obtained after further packaging by the outer tunnel comprises: payload, TCP/UDP header, IP header information (IP hdr), GENEVE tunnel information (inner layer tunnel information), VXLAN tunnel information (outer layer tunnel information), and ethernet header information (Eth hdr), the third tunnel message reaching the second VS. The source address of the VXLAN tunnel information is the IP address of the NFV-GW, the destination address is the IP address information of the second VS corresponding to the fake-ENI in the IP address mapping table, and the VNI information is the VNI corresponding to the NFV-GW; correspondingly, the source address of the GENEVE tunnel information is the IP address of the NFV-GW, the destination address is the IP address of the corresponding NFV ECS in the IP address mapping table of the fake-ENI, and the VNI information is tenant information of the client ECS.
After the second VS removes the outer layer tunnel information, the message is sent to the corresponding NFV ECS, the NFV ECS can determine tenant information of the client ECS initiating the access request according to the GENEVE tunnel information, and the message is processed according to the NFV service provided by the NFV ECS.
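The walkthrough above, as an added example that is not the patent's own code: a model of the NFV-GW's table lookups and inner GENEVE/outer VXLAN encapsulation from fig. 4, followed by the second VS session keyed on the outer five-tuple only. The table contents follow fig. 4; the NFV-GW address, the UDP source port, the tenant VNIs, the NFV-GW's outer VNI and the second fake-ENI MAC are assumptions.

```python
"""Constructed model of the NFV-GW two-layer tunnel encapsulation (added example)."""
import socket
import struct

NFV_GW_IP = "10.0.0.1"   # assumed NFV-GW address
NFV_GW_VNI = 4096        # assumed VNI identifying the NFV-GW in the outer layer
SRC_PORT = 40000         # assumed fixed UDP source port (keeps the outer 5-tuple constant)
VXLAN_PORT = 4789        # IANA UDP port for VXLAN
GENEVE_PORT = 6081       # IANA UDP port for GENEVE

# MAC-fake-ENI conversion table (fig. 4 gives 0:0:0:0:0:1 -> ID 1; the second MAC is assumed)
MAC_TO_FAKE_ENI = {"00:00:00:00:00:01": 1, "00:00:00:00:00:02": 2}
# ECMP table of the fake-ENI: ID -> NFV ECS (fig. 4)
ECMP_TABLE = {1: "ECS IP1", 2: "FPGA IP2"}
# forwarding table of the fake-ENI: outer tunnel protocol per ID (fig. 4)
FORWARDING_TABLE = {1: "VXLAN", 2: "VXLAN"}
# IP address mapping table of the fake-ENI: ID -> (second VS IP, NFV ECS IP) (fig. 4)
IP_MAPPING_TABLE = {1: ("1.1.1.1", "2.1.1.1"), 2: ("1.2.2.2", "2.2.2.2")}


def ipv4_checksum(header):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_udp(src, dst, sport, dport, payload):
    """IPv4 + UDP headers in front of payload (UDP checksum left at 0, permitted for IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    fields = [0x45, 0, 20 + len(udp) + len(payload), 0, 0, 64, 17, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + udp + payload


def vxlan_header(vni):
    # RFC 7348: flags byte with the I bit, 3 reserved bytes, 24-bit VNI, 1 reserved byte
    return struct.pack("!B3xI", 0x08, vni << 8)


def geneve_header(vni):
    # RFC 8926: ver/opt-len, flags, protocol type (IPv4), 24-bit VNI, 1 reserved byte
    return struct.pack("!BBHI", 0, 0, 0x0800, vni << 8)


def nfv_gw_encapsulate(fake_eni_mac, tenant_vni, data_message):
    """NFV-GW data path: MAC -> fake-ENI ID, table lookups, inner GENEVE, outer VXLAN."""
    fake_eni_id = MAC_TO_FAKE_ENI[fake_eni_mac]              # MAC-fake-ENI conversion
    if FORWARDING_TABLE[fake_eni_id] != "VXLAN":             # forwarding table
        raise NotImplementedError("only a VXLAN outer tunnel is modelled here")
    second_vs_ip, nfv_ecs_ip = IP_MAPPING_TABLE[fake_eni_id]  # IP address mapping table
    # inner layer: NFV-GW -> NFV ECS, VNI = tenant information of the client ECS
    inner = ipv4_udp(NFV_GW_IP, nfv_ecs_ip, SRC_PORT, GENEVE_PORT,
                     geneve_header(tenant_vni) + data_message)
    # VXLAN carries an Ethernet frame; the MACs here are placeholders for the modelled link
    frame = b"\x00" * 12 + b"\x08\x00" + inner
    # outer layer: NFV-GW -> second VS, VNI = identification of the NFV-GW
    return ipv4_udp(NFV_GW_IP, second_vs_ip, SRC_PORT, VXLAN_PORT,
                    vxlan_header(NFV_GW_VNI) + frame)


def outer_five_tuple(packet):
    """(src, dst, protocol, sport, dport) of the outer layer, all the second VS looks at."""
    proto, src, dst = struct.unpack("!9xB2x4s4s", packet[:20])
    sport, dport = struct.unpack("!HH", packet[20:24])
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, sport, dport)


def inner_tenant_vni(packet):
    """What the NFV ECS sees after the second VS strips the outer layer: the tenant VNI."""
    inner = packet[20 + 8 + 8 + 14:]          # skip outer IPv4, UDP, VXLAN, Ethernet
    geneve = inner[20 + 8:20 + 8 + 8]         # skip inner IPv4 and UDP, take GENEVE header
    return struct.unpack("!I", geneve[4:8])[0] >> 8


class SecondVS:
    """Session handling of the second VS, keyed on the outer five-tuple only."""
    def __init__(self, egress_port):
        self.sessions = {}
        self.egress_port = egress_port        # corresponds to the target NFV instance
        self.slow_path_hits = 0

    def forward(self, packet):
        key = outer_five_tuple(packet)
        if key not in self.sessions:
            self.slow_path_hits += 1          # first message of the stream: CPU software path
            self.sessions[key] = self.egress_port
        return self.sessions[key]


def demo():
    """Two tenants (assumed VNIs 100 and 200) through one fake-ENI: one session, two VNIs."""
    vs = SecondVS(egress_port="port-to-2.1.1.1")
    pkt_a = nfv_gw_encapsulate("00:00:00:00:00:01", 100, b"tenant-A-request")
    pkt_b = nfv_gw_encapsulate("00:00:00:00:00:01", 200, b"tenant-B-request")
    vs.forward(pkt_a)
    vs.forward(pkt_b)
    return len(vs.sessions), vs.slow_path_hits, inner_tenant_vni(pkt_a), inner_tenant_vni(pkt_b)
```

Both tenants share one outer five-tuple and therefore one session on the second VS, while the inner GENEVE VNI still distinguishes them for the NFV ECS.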
In this embodiment, an NFV-GW is added to cooperate with the VGW. Without affecting the tenant side, the tenant's traffic is first steered to the NFV-GW, a layer of tunnel encapsulation is added, tenant identification information is encapsulated in that tunnel, and a single user and a single flow are presented to the VS of the NFV ECS. This resolves the problem of the NFV ECS being constrained by the network IO capability of the VS, increases the number of tenants the NFV ECS can serve, and facilitates larger-scale NFV ECS deployments.
Fig. 5 is a flow chart of an NFV access method provided in an embodiment of the present application. The method is applied to the first gateway device, as shown in fig. 5, and includes:
501. intercepting a data message of an NFV instance accessed by a client instance through a first virtual switch VS;
502. taking tenant information of the client instance as inner layer tunnel information to perform inner layer tunnel encapsulation on the data message;
503. carrying out outer layer tunnel encapsulation on the message encapsulated by the inner layer tunnel by using the identity information of the first gateway equipment;
504. sending the message encapsulated by the outer layer tunnel to a second VS corresponding to the NFV instance, so that the second VS forwards it to the NFV instance, thereby realizing access to the NFV instance.
In an alternative embodiment, the intercepting the data packet of the NFV instance by the client instance through the first virtual switch VS includes: and receiving a first tunnel message sent by the first VS, wherein the first tunnel message is obtained by carrying out tunnel encapsulation on the data message by the first VS, and the tunnel information of the first tunnel message comprises tenant information of the client instance.
In an alternative embodiment, the intercepting the data packet of the NFV instance by the client instance through the first virtual switch VS includes: and receiving a second tunnel message and tenant information of the client instance, which are sent by the second gateway device, wherein the second tunnel message is obtained by performing tunnel encapsulation on a first tunnel message by the second gateway device, the first tunnel message is obtained by performing tunnel encapsulation on a data message by a first VS, and the tunnel information of the first tunnel message comprises the tenant information of the client instance.
In an optional embodiment, the performing inner layer tunnel encapsulation on the data packet by using the tenant information to which the client instance belongs as inner layer tunnel information includes: and respectively taking the address information of the first gateway equipment and the address information of the NFV instance as a source address and a destination address of the inner-layer tunnel information, taking tenant information of the client instance as Virtual Network Identification (VNI) information of the inner-layer tunnel information, and performing inner-layer tunnel encapsulation on the data message.
In an optional embodiment, the performing outer layer tunnel encapsulation on the packet encapsulated by the inner layer tunnel with the identity information of the first gateway device includes: and taking the address information of the first gateway equipment and the address information of the second VS as the source address and the destination address of the outer layer tunnel information, taking the identification information of the first gateway equipment as the VNI information of the outer layer tunnel information, and carrying out outer layer tunnel encapsulation on the message encapsulated by the inner layer tunnel.
In an alternative embodiment, the inner tunnel encapsulation or the outer tunnel encapsulation uses GENEVE, VXLAN, or SRv6, and the inner tunnel encapsulation uses the same or a different technology than the outer tunnel encapsulation.
In an optional embodiment, the tenant information to which the client instance belongs is the ID of the client VPC or the ID of the tenant, and the identification information of the first gateway device is the simulated ENI information of the first gateway device, that is, the ID of the fake-ENI, or the VNI corresponding to the first gateway device.
In an alternative embodiment, the method further comprises: acquiring an MAC address corresponding to a fake-ENI of a first gateway device from a first tunnel message or a second tunnel message, determining the ID of the fake-ENI corresponding to the MAC address in the first tunnel message or the second tunnel message according to a conversion table of the MAC address and the ID of the fake-ENI, and determining corresponding tunnel encapsulation information, an IP address corresponding to NFV ECS and an IP address corresponding to a second VS according to the determined ID of the fake-ENI; and sequentially carrying out inner layer tunnel encapsulation and outer layer tunnel encapsulation on the data message according to the corresponding tunnel encapsulation information, the IP address corresponding to the NFV ECS and the IP address corresponding to the second VS. The inner layer tunnel encapsulation of the data message mainly refers to taking an IP address of the first gateway device as a source address in inner layer tunnel information, an IP address corresponding to the NFV ECS as a destination address of the inner layer tunnel information, and tenant information to which the client instance belongs as VNI information in the inner layer tunnel information. The outer layer tunnel encapsulation of the message encapsulated by the inner layer tunnel mainly refers to taking the IP address of the first gateway device as a source address in outer layer tunnel information, taking the IP address corresponding to the second VS as a destination address of the outer layer tunnel information, taking the VNI of the first gateway device as VNI information in the outer layer tunnel information, and performing outer layer tunnel encapsulation on the message encapsulated by the inner layer tunnel.
Fig. 6 is a flow chart of another NFV access method provided in an embodiment of the present application. The method is applied to the second gateway device, as shown in fig. 6, and includes:
601. receiving a first tunnel message sent by a first VS, wherein the first tunnel message is obtained by the first VS performing tunnel encapsulation on a data message of a client instance accessing an NFV instance, and the tunnel information of the first tunnel message comprises tenant information of the client instance;
602. the first tunnel message is repackaged into a second tunnel message, tenant information of the second tunnel message and the client instance is sent to the first gateway device, so that the first gateway device can conduct inner tunnel encapsulation on the data message by taking the tenant information of the client instance as inner tunnel information, conduct outer tunnel encapsulation on the message packaged by the inner tunnel with identity information of the first gateway device, and then forward the message to the NFV instance through the second VS, and access of the NFV instance is achieved.
For detailed implementation and technical effects of each step in each method embodiment, reference may be made to the description of the foregoing embodiment, which is not repeated herein.
It should be noted that, in some of the above embodiments and the flows described in the drawings, a plurality of operations appearing in a specific order are included, but it should be clearly understood that the operations may be performed out of the order in which they appear herein or performed in parallel, the sequence numbers of the operations such as 501, 502, etc. are merely used to distinguish between the various operations, and the sequence numbers themselves do not represent any execution sequence. In addition, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first" and "second" herein are used to distinguish different messages, devices, modules, etc., and do not represent a sequence, and are not limited to the "first" and the "second" being different types.
Fig. 7 is a schematic structural diagram of an NFV access device according to an embodiment of the present application. As shown in fig. 7, the apparatus includes: an interception module 71, an inner encapsulation module 72, an outer encapsulation module 73 and a transmission module 74.
The interception module 71 is configured to intercept a data packet of the client instance accessing the NFV instance via the first virtual switch VS. The inner layer encapsulation module 72 is configured to perform inner layer tunnel encapsulation on the data packet by using the tenant information to which the client instance belongs as inner layer tunnel information. The outer layer encapsulation module 73 is configured to perform outer layer tunnel encapsulation on the packet encapsulated by the inner layer tunnel with the identity information of the first gateway device. The sending module 74 is configured to send the message encapsulated by the outer layer tunnel to a second VS corresponding to the NFV instance, so that the second VS forwards it to the NFV instance, thereby achieving access to the NFV instance.
In an alternative embodiment, the interception module 71 is specifically configured to: and receiving a first tunnel message sent by the first VS, wherein the first tunnel message is obtained by carrying out tunnel encapsulation on the data message by the first VS, and the tunnel information of the first tunnel message comprises tenant information of the client instance.
In an alternative embodiment, the interception module 71 is specifically configured to: and receiving a second tunnel message and tenant information of the client instance, which are sent by the second gateway device, wherein the second tunnel message is obtained by performing tunnel encapsulation on a first tunnel message by the second gateway device, the first tunnel message is obtained by performing tunnel encapsulation on a data message by a first VS, and the tunnel information of the first tunnel message comprises the tenant information of the client instance.
In an alternative embodiment, the inner package module 72 is specifically configured to: and respectively taking the address information of the first gateway equipment and the address information of the NFV instance as a source address and a destination address of the inner-layer tunnel information, taking tenant information of the client instance as Virtual Network Identification (VNI) information of the inner-layer tunnel information, and performing inner-layer tunnel encapsulation on the data message.
In an alternative embodiment, the outer packaging module 73 is specifically configured to: and taking the address information of the first gateway equipment and the address information of the second VS as the source address and the destination address of the outer layer tunnel information, taking the identification information of the first gateway equipment as the VNI information of the outer layer tunnel information, and carrying out outer layer tunnel encapsulation on the message encapsulated by the inner layer tunnel.
In an alternative embodiment, the inner tunnel encapsulation or the outer tunnel encapsulation uses GENEVE, VXLAN, or SRv6, and the inner tunnel encapsulation uses the same or a different technology than the outer tunnel encapsulation.
In an optional embodiment, the tenant information to which the client instance belongs is the ID of the client VPC or the ID of the tenant, and the identification information of the first gateway device is the simulated ENI information of the first gateway device or the VNI corresponding to the first gateway device.
Fig. 8 is a schematic structural diagram of another NFV access device according to an embodiment of the present application. As shown in fig. 8, the apparatus includes: a receiving module 81, a packaging module 82 and a transmitting module 83.
The receiving module 81 is configured to receive a first tunnel packet sent by the first virtual switch VS, where the first tunnel packet is obtained by the first VS performing tunnel encapsulation on a data packet of the client instance accessing the NFV instance, and the tunnel information of the first tunnel packet includes the tenant information to which the client instance belongs. The encapsulation module 82 is configured to repackage the first tunnel packet into a second tunnel packet. The sending module 83 is configured to send the second tunnel packet and the tenant information to which the client instance belongs to the first gateway device, so that the first gateway device performs inner layer tunnel encapsulation on the data packet with the tenant information to which the client instance belongs as inner layer tunnel information, performs outer layer tunnel encapsulation on the inner-layer-encapsulated packet with the identity information of the first gateway device, and forwards the encapsulated packet to the NFV instance through the second VS, thereby implementing access to the NFV instance.
For detailed implementation and technical effects of each module in the above embodiments of the apparatus, reference may be made to the description of the foregoing embodiments, which are not repeated herein.
Fig. 9 is a schematic structural diagram of a gateway device according to an embodiment of the present application. The gateway device may be implemented as a first gateway device, as shown in fig. 9, comprising: a memory 91 and a processor 92.
The memory 91 is used for storing computer programs and may be configured to store various other data to support operations on the gateway device. Examples of such data include instructions, messages, pictures, videos, etc. for any application or method operating on the gateway device.
The processor 92 is coupled to the memory 91 and executes the computer program in the memory 91 in order to: intercept a data message of a client instance accessing an NFV instance through a first virtual switch VS; perform inner layer tunnel encapsulation on the data message using the tenant information of the client instance as inner layer tunnel information; perform outer layer tunnel encapsulation on the inner-layer-encapsulated message using the identity information of the first gateway device; and send the outer-layer-encapsulated message to a second VS corresponding to the NFV instance, so that the second VS forwards it to the NFV instance, thereby realizing access to the NFV instance.
In an alternative embodiment, when intercepting a data packet of a client instance accessing an NFV instance via the first virtual switch VS, the processor 92 is specifically configured to: receive a first tunnel packet sent by the first VS, where the first tunnel packet is obtained by the first VS performing tunnel encapsulation on the data packet, and the tunnel information of the first tunnel packet includes the tenant information to which the client instance belongs.
In an alternative embodiment, when intercepting a data packet of a client instance accessing an NFV instance via the first virtual switch VS, the processor 92 is specifically configured to: receive a second tunnel packet and the tenant information to which the client instance belongs, both sent by the second gateway device, where the second tunnel packet is obtained by the second gateway device performing tunnel encapsulation on a first tunnel packet, the first tunnel packet is obtained by the first VS performing tunnel encapsulation on the data packet, and the tunnel information of the first tunnel packet includes the tenant information to which the client instance belongs.
In an alternative embodiment, when performing inner-layer tunnel encapsulation on the data packet with the tenant information to which the client instance belongs as the inner-layer tunnel information, the processor 92 is specifically configured to: take the address information of the first gateway device and the address information of the NFV instance as the source address and destination address, respectively, of the inner-layer tunnel information, take the tenant information to which the client instance belongs as the Virtual Network Identifier (VNI) information of the inner-layer tunnel information, and perform inner-layer tunnel encapsulation on the data packet.
In an alternative embodiment, when performing outer-layer tunnel encapsulation on the inner-layer-encapsulated packet with the identity information of the first gateway device, the processor 92 is specifically configured to: take the address information of the first gateway device and the address information of the second VS as the source address and destination address, respectively, of the outer-layer tunnel information, take the identity information of the first gateway device as the VNI information of the outer-layer tunnel information, and perform outer-layer tunnel encapsulation on the inner-layer-encapsulated packet.
In an alternative embodiment, the inner-layer tunnel encapsulation or the outer-layer tunnel encapsulation uses GENEVE, VXLAN, or SRv6, and the inner-layer tunnel encapsulation may use the same technology as the outer-layer tunnel encapsulation or a different one.
In an optional embodiment, the tenant information to which the client instance belongs is the ID of the client VPC or the ID of the tenant, and the identity information of the first gateway device is the simulated ENI (fake-ENI) information of the first gateway device or the VNI corresponding to the first gateway device.
In an alternative embodiment, the first tunnel packet or the second tunnel packet further includes the MAC address corresponding to the fake-ENI of the first gateway device, and the processor 92 is further configured to: obtain the MAC address corresponding to the fake-ENI of the first gateway device from the first tunnel packet or the second tunnel packet; determine, according to a conversion table between MAC addresses and fake-ENI IDs, the ID of the fake-ENI corresponding to that MAC address; determine, according to the determined fake-ENI ID, the corresponding tunnel encapsulation information, the IP address corresponding to the NFV ECS, and the IP address corresponding to the second VS; and perform inner-layer tunnel encapsulation and then outer-layer tunnel encapsulation on the data packet according to the corresponding tunnel encapsulation information, the IP address corresponding to the NFV ECS, and the IP address corresponding to the second VS. The inner-layer tunnel encapsulation of the data packet mainly means taking the IP address of the first gateway device as the source address of the inner-layer tunnel information, the IP address corresponding to the NFV ECS as the destination address of the inner-layer tunnel information, and the tenant information to which the client instance belongs as the VNI information of the inner-layer tunnel information. The outer-layer tunnel encapsulation of the inner-layer-encapsulated packet mainly means taking the IP address of the first gateway device as the source address of the outer-layer tunnel information, the IP address corresponding to the second VS as the destination address of the outer-layer tunnel information, and the VNI of the first gateway device as the VNI information of the outer-layer tunnel information, and performing outer-layer tunnel encapsulation on the inner-layer-encapsulated packet accordingly.
As shown in fig. 9, the gateway device further includes: a communication component 93, a power supply component 94, and the like. Only some of the components are schematically shown in fig. 9, which does not mean that the gateway device only comprises the components shown in fig. 9.
The embodiment of the present application further provides a gateway device whose structure is the same as or similar to that of the gateway device shown in fig. 9 and is not described again. The gateway device of the present embodiment differs from the gateway device shown in fig. 9 in that the functions implemented by the processor executing the computer program stored in the memory are different. By having the processor execute the computer program stored in the memory, the gateway device of the present embodiment may perform the following actions: receiving a first tunnel packet sent by a first VS, where the first tunnel packet is obtained by the first VS performing tunnel encapsulation on a data packet sent by a client instance to access an NFV instance, and the tunnel information of the first tunnel packet includes the tenant information to which the client instance belongs; and repackaging the first tunnel packet into a second tunnel packet and sending the second tunnel packet and the tenant information to which the client instance belongs to the first gateway device, so that the first gateway device performs inner-layer tunnel encapsulation on the data packet with the tenant information to which the client instance belongs as the inner-layer tunnel information, performs outer-layer tunnel encapsulation on the inner-layer-encapsulated packet with the identity information of the first gateway device, and then forwards the packet to the NFV instance through the second VS, thereby implementing access to the NFV instance.
Accordingly, embodiments of the present application also provide a computer-readable storage medium storing a computer program, which when executed by a processor, causes the processor to implement the steps of the method shown in fig. 5 or 6.
Accordingly, embodiments of the present application also provide a computer program product comprising a computer program/instructions which, when executed by a processor, cause the processor to carry out the steps of the method shown in fig. 5 or 6.
The memory may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random-Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk.
The communication component is configured to facilitate wired or wireless communication between the device in which the communication component is located and other devices. The device in which the communication component is located can access a wireless network based on a communication standard, such as WiFi, a 2G, 3G, 4G/LTE or 5G mobile communication network, or a combination thereof. In one exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component further includes a Near Field Communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
The power supply component provides power for various components of equipment where the power supply component is located. The power components may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for the devices in which the power components are located.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, magnetic disk storage, CD-ROM (Compact Disc Read-Only Memory), optical storage, etc.) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (Central Processing Unit, CPUs), input/output interfaces, network interfaces, and memory. The memory may include volatile memory in a computer-readable medium, random access memory (Random Access Memory, RAM) and/or nonvolatile memory, etc., such as Read Only Memory (ROM) or flash RAM. Memory is an example of computer-readable media.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, Phase-change Random Access Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by the computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (14)

1. A network function virtualization (NFV) access system, comprising: a first gateway device connected between a client virtual private cloud (VPC) and a service VPC; the client VPC comprises a client instance and a first virtual switch (VS) that provides data forwarding service for the client instance, and the service VPC comprises an NFV instance carrying an NFV network element and a second VS that provides data forwarding service for the NFV instance;
the first gateway device is configured to intercept a data packet of the client instance accessing the NFV instance through the first VS, perform inner-layer tunnel encapsulation on the data packet with the tenant information to which the client instance belongs as the inner-layer tunnel information, perform outer-layer tunnel encapsulation on the inner-layer-encapsulated packet with the identity information of the first gateway device, and send the outer-layer-encapsulated packet to the second VS, so that the second VS forwards the packet to the NFV instance, thereby implementing access to the NFV instance.
2. The system according to claim 1, wherein the first gateway device, when intercepting the data packet of the client instance accessing the NFV instance via the first VS, is specifically configured to:
receive a first tunnel packet sent by the first VS, where the first tunnel packet is obtained by the first VS performing tunnel encapsulation on the data packet, and the tunnel information of the first tunnel packet includes the tenant information to which the client instance belongs.
3. The system of claim 1, further comprising: a second gateway device interconnected with the first VS and the first gateway device;
the second gateway device is configured to receive a first tunnel packet sent by the first VS, where the first tunnel packet is obtained by the first VS performing tunnel encapsulation on the data packet and the tunnel information of the first tunnel packet includes the tenant information to which the client instance belongs, repackage the first tunnel packet into a second tunnel packet, and send the second tunnel packet and the tenant information to which the client instance belongs to the first gateway device;
the first gateway device, when intercepting the data packet of the client instance accessing the NFV instance via the first VS, is specifically configured to: receive the second tunnel packet and the tenant information to which the client instance belongs, both sent by the second gateway device.
4. The system according to any one of claims 1-3, wherein the first gateway device performing inner-layer tunnel encapsulation on the data packet with the tenant information to which the client instance belongs as the inner-layer tunnel information comprises:
taking the address information of the first gateway device and the address information of the NFV instance as the source address and destination address, respectively, of the inner-layer tunnel information, taking the tenant information to which the client instance belongs as the Virtual Network Identifier (VNI) information of the inner-layer tunnel information, and performing inner-layer tunnel encapsulation on the data packet.
5. The system of claim 4, wherein the first gateway device performing outer-layer tunnel encapsulation on the inner-layer-encapsulated packet with the identity information of the first gateway device comprises:
taking the address information of the first gateway device and the address information of the second VS as the source address and destination address, respectively, of the outer-layer tunnel information, taking the identity information of the first gateway device as the VNI information of the outer-layer tunnel information, and performing outer-layer tunnel encapsulation on the inner-layer-encapsulated packet.
6. A network function virtualization (NFV) access method, applied to a first gateway device, the method comprising:
intercepting, through a first virtual switch (VS), a data packet sent by a client instance to access an NFV instance;
performing inner-layer tunnel encapsulation on the data packet with the tenant information to which the client instance belongs as the inner-layer tunnel information;
performing outer-layer tunnel encapsulation on the inner-layer-encapsulated packet with the identity information of the first gateway device;
and sending the outer-layer-encapsulated packet to a second VS corresponding to the NFV instance, so that the second VS forwards it to the NFV instance, thereby implementing access to the NFV instance.
7. The method of claim 6, wherein intercepting the data packet of the client instance accessing the NFV instance via the first virtual switch VS comprises:
receiving a first tunnel packet sent by the first VS, where the first tunnel packet is obtained by the first VS performing tunnel encapsulation on the data packet, and the tunnel information of the first tunnel packet includes the tenant information to which the client instance belongs.
8. The method of claim 6, wherein intercepting the data packet of the client instance accessing the NFV instance via the first virtual switch VS comprises:
receiving a second tunnel packet and the tenant information to which the client instance belongs, where the second tunnel packet is obtained by a second gateway device performing tunnel encapsulation on a first tunnel packet, the first tunnel packet is obtained by the first VS performing tunnel encapsulation on the data packet, and the tunnel information of the first tunnel packet includes the tenant information to which the client instance belongs.
9. The method according to any one of claims 6-8, wherein performing inner-layer tunnel encapsulation on the data packet with the tenant information to which the client instance belongs as the inner-layer tunnel information comprises:
taking the address information of the first gateway device and the address information of the NFV instance as the source address and destination address, respectively, of the inner-layer tunnel information, taking the tenant information to which the client instance belongs as the Virtual Network Identifier (VNI) information of the inner-layer tunnel information, and performing inner-layer tunnel encapsulation on the data packet.
10. The method of claim 9, wherein performing outer-layer tunnel encapsulation on the inner-layer-encapsulated packet with the identity information of the first gateway device comprises:
taking the address information of the first gateway device and the address information of the second VS as the source address and destination address, respectively, of the outer-layer tunnel information, taking the identity information of the first gateway device as the VNI information of the outer-layer tunnel information, and performing outer-layer tunnel encapsulation on the inner-layer-encapsulated packet.
11. The method of claim 10, wherein the inner-layer tunnel encapsulation or the outer-layer tunnel encapsulation employs Generic Network Virtualization Encapsulation (GENEVE), Virtual Extensible LAN (VXLAN), or Segment Routing over IPv6 (SRv6), and wherein the inner-layer tunnel encapsulation and the outer-layer tunnel encapsulation use the same or different technologies.
12. A network function virtualization (NFV) access method, applied to a second gateway device, the method comprising:
receiving a first tunnel packet sent by a first virtual switch (VS), where the first tunnel packet is obtained by the first VS performing tunnel encapsulation on a data packet sent by a client instance to access an NFV instance, and the tunnel information of the first tunnel packet includes the tenant information to which the client instance belongs;
repackaging the first tunnel packet into a second tunnel packet, and sending the second tunnel packet and the tenant information to which the client instance belongs to a first gateway device, so that the first gateway device performs inner-layer tunnel encapsulation on the data packet with the tenant information to which the client instance belongs as the inner-layer tunnel information, performs outer-layer tunnel encapsulation on the inner-layer-encapsulated packet with the identity information of the first gateway device, and then forwards the packet to the NFV instance through a second VS, thereby implementing access to the NFV instance.
13. A gateway device, comprising: a memory and a processor, the memory being configured to store a computer program, and the processor, coupled to the memory, being configured to execute the computer program so as to implement the steps of the method of any one of claims 6-11 or the steps of the method of claim 12.
14. A computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to carry out the steps of the method of any one of claims 6-11 or the steps of the method of claim 12.
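The double tunnel encapsulation performed by the first gateway device (the fig. 9 embodiment above, and claims 4, 5, 9 and 10) together with the decapsulation at the second VS and the NFV instance, as an added example that is not the patent's own code. It uses VXLAN for both the inner and the outer layer (one of the technologies the description permits); the fake-ENI conversion table, the gateway's identity VNI, the addresses and the client frame are hypothetical values constructed for the example, and the check that the outer-layer VNI is bound to a registered gateway source address is the defender-side check a second VS would want.

```python
"""Added example: first-gateway double tunnel encapsulation and second-VS
decapsulation with VXLAN as both the inner and outer tunnel technology.
Table layout, gateway VNI, addresses and the client frame are all
constructed for illustration; this is not the patent's own code."""
import ipaddress
import struct

VXLAN_PORT = 4789      # IANA UDP port for VXLAN
VXLAN_FLAG_I = 0x08    # "VNI valid" flag bit of the VXLAN header


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def ipv4_checksum(hdr: bytes) -> int:
    """Ones'-complement sum over 16-bit words; 0 when a received header is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(src_ip: str, dst_ip: str, vni: int, payload: bytes) -> bytes:
    """One tunnel layer: IPv4 / UDP / VXLAN around the payload."""
    udp_len = 8 + 8 + len(payload)
    udp = struct.pack("!HHHH", VXLAN_PORT, VXLAN_PORT, udp_len, 0)  # UDP csum 0: allowed over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan_header(vni) + payload


def decapsulate(pkt: bytes):
    """Strip one tunnel layer; returns (src_ip, dst_ip, vni, payload).
    Raises ValueError for anything that is not a well-formed VXLAN packet."""
    if len(pkt) < 36 or pkt[0] != 0x45 or pkt[9] != 17:
        raise ValueError("not IPv4/UDP with a 20-byte IP header")
    if ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    dport = struct.unpack("!H", pkt[22:24])[0]
    flags, word = struct.unpack("!B3xI", pkt[28:36])
    if dport != VXLAN_PORT or not flags & VXLAN_FLAG_I:
        raise ValueError("not a VXLAN packet carrying a valid VNI")
    return src, dst, word >> 8, pkt[36:]


# Constructed gateway state: identity VNI and the per-fake-ENI tables the
# description mentions (MAC -> fake-ENI ID -> NFV ECS / second VS addresses).
GATEWAY_IP = "10.0.0.1"
GATEWAY_VNI = 900001   # identity information of the first gateway device
MAC_TO_FAKE_ENI = {bytes.fromhex("02aa000000aa"): "eni-fake-1"}
FAKE_ENI_TABLE = {"eni-fake-1": {"nfv_ecs_ip": "10.2.0.5", "second_vs_ip": "10.2.0.254"}}


def first_gateway_forward(first_tunnel_pkt: bytes) -> bytes:
    """Intercept the first VS's tunnel packet and build inner + outer tunnels."""
    _vs_ip, _gw_ip, tenant_vni, frame = decapsulate(first_tunnel_pkt)
    eni_id = MAC_TO_FAKE_ENI[frame[:6]]      # KeyError: no fake-ENI for this MAC, drop
    cfg = FAKE_ENI_TABLE[eni_id]
    # Inner layer: gateway -> NFV ECS, VNI = tenant information from the first tunnel.
    inner = encapsulate(GATEWAY_IP, cfg["nfv_ecs_ip"], tenant_vni, frame)
    # Outer layer: gateway -> second VS, VNI = the gateway's own identity.
    return encapsulate(GATEWAY_IP, cfg["second_vs_ip"], GATEWAY_VNI, inner)


def second_vs_to_nfv(outer_pkt: bytes, trusted_gateways: dict):
    """Second VS strips the outer layer and accepts only a registered gateway
    identity (VNI bound to source IP); the NFV instance then reads the tenant
    VNI from the inner layer. Returns (nfv_ip, tenant_vni, frame)."""
    src, _dst, gw_vni, inner = decapsulate(outer_pkt)
    if trusted_gateways.get(gw_vni) != src:
        raise PermissionError(f"outer VNI {gw_vni} from {src} is not a registered gateway")
    _gw, nfv_ip, tenant_vni, frame = decapsulate(inner)
    return nfv_ip, tenant_vni, frame


# Constructed sample: the first VS tunnels the client's Ethernet frame to the
# gateway with VNI = the client's VPC ID; the frame's destination MAC is the fake-ENI.
TENANT_VPC_VNI = 5001
CLIENT_FRAME = (bytes.fromhex("02aa000000aa") + bytes.fromhex("02bb000000bb")
                + b"\x08\x00" + b"constructed client payload")
FIRST_TUNNEL = encapsulate("10.1.0.254", GATEWAY_IP, TENANT_VPC_VNI, CLIENT_FRAME)

if __name__ == "__main__":
    print(second_vs_to_nfv(first_gateway_forward(FIRST_TUNNEL), {GATEWAY_VNI: GATEWAY_IP}))
```

The second gateway device's repackaging step (claim 12) is not modelled; it would sit between the first VS and first_gateway_forward and hand over the tenant information alongside the second tunnel packet.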
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202211728770.9A CN116016188A (en) 2022-12-30 2022-12-30 NFV access method, device, system and storage medium
PCT/CN2023/143656 WO2024141093A1 (en) 2022-12-30 2023-12-29 Nfv access method and system, and device and storage medium

Publications (1)

Publication Number Publication Date
CN116016188A true CN116016188A (en) 2023-04-25

Family

ID=86026413

Country Status (2)

Country Link
CN (1) CN116016188A (en)
WO (1) WO2024141093A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024141093A1 (en) * 2022-12-30 2024-07-04 杭州阿里云飞天信息技术有限公司 Nfv access method and system, and device and storage medium

Also Published As

Publication number Publication date
WO2024141093A1 (en) 2024-07-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination